[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Mon Aug 4 13:22:50 MDT 2014

On 04/08/14 20:12, Ryan Ashley wrote:
> I forgot to mention, I am running BIND9. I created the reverse zones 
> in AD using the snap-in on a Windows 7 Pro 64bit system. DHCP does 
> update DNS, but the reverse zones are always ignored, at all 
> locations. I also forgot to mention that all three systems are running 
> 4.1.10 stable. They were running 4.2.0 pre something.

Please post dhcpd.conf from your samba4 AD DC, the setup works with 
bind9.9 and dhcp, but it must be correctly set up.

> How do I give these groups uID or gID numbers? Are you suggesting I 
> create them on the Linux box?

Probably easiest if you use the Windows RSAT tools (ADUC) on a Windows 
machine, but then again you should already be doing this, seeing as how 
you are using the winbind ad idmap backend.


> Finally, the DN should not matter since it affects all users, and that 
> is a LOT of typing for every domain user. If it is required I will do 
> it, but since only the domain admin can do this, it seems as though a 
> user's DN is irrelevant. If it was some users and not others, I'd have 
> already checked the groups, DN, etc.
> On 08/04/2014 02:58 PM, Rowland Penny wrote:
>> On 04/08/14 19:24, Ryan Ashley wrote:
>> Funny that, the reverse-dns zone never working with S4, that is. It 
>> works for me and has been doing for quite some time, but you never 
>> answered how you are running the DNS & DHCP: are you using the 
>> internal DNS server or bind9? How are you getting DHCP to update DNS?
>> The ID numbers that you have posted are in the 'builtin' range 
>> '70001-80000'; probably the best way out of your problem is to trace 
>> the users & groups that these numbers match and then give them 
>> uidNumbers & gidNumbers.
>> DN stands for distinguished name, for instance, the DN of 
>> Administrator on your AD DC will be 
>> CN=Administrator,CN=User,DC=truevine,DC=lan
>> truevine.lan is NOT the FQDN, that would be DC01.truevine.lan for 
>> instance, truevine.lan is the domain name or kerberos realm.
>> Haven't a clue what 'ute' is, perhaps Steve does ??
>> Rowland
>>> On 08/03/2014 02:55 AM, steve wrote:
>>>> On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
>>>>> I am still trying to get this to work. Is S4 incapable of being a
>>>>> file-server as a member server? I run ONLY DNS and DHCP on my AD DC
>>>>> servers. I have a dedicated S4 print server that appears to work
>>>>> perfectly, but sharing files is critical and I have now been down for
>>>>> three weeks. Winbind resolves users and groups, everything looks good, I
>>>>> have tried what has been suggested before, but now I am becoming
>>>>> desperate. The system cannot find this "idmap ad" backend. What in the
>>>>> heck is it and how do I get it or build it? Everything is working except
>>>>> this basic functionality which is REALLY needed!
>>>> OK. Time to summarise.
>>>> smb.conf on DC
>>>> samba version on DC
>>>> samba version on working print server
>>>> smb.conf on working print server
>>>> the DN of the user who trips the 'idmap ad' error (ute)
>>>> host <hostname of DC>
>>>> host <hostname of print server>
>>>> host <ip of DC>
>>>> host <ip of print server>
>>>> getent passwd ute
>>>> groups ute
>>>> getfacl <path to share where ute is accessing>
>>>> /etc/fstab
>>>> With that we stand a chance.
>>>> Cheers,
>>>> Steve
>>>>> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
>>>>>> I made a strange discovery this morning. If I attempt to map the drive
>>>>>> using the server's IP address, I get invalid password. If I attempt to
>>>>>> map it using the hostname, it flat out denies access.
>>>>>> C:\Users\reach_support>net use s: \\\staff$ /persistent:no
>>>>>> Enter the user name for '': reach_support
>>>>>> Enter the password for
>>>>>> System error 86 has occurred.
>>>>>> The specified network password is not correct.
>>>>>> C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
>>>>>> Enter the user name for 'fs01': reach_support
>>>>>> Enter the password for fs01:
>>>>>> System error 5 has occurred.
>>>>>> Access is denied.
>>>>>> C:\Users\reach_support>
>>>>>> This REALLY looks like an S4 bug to me. Why would it give different
>>>>>> errors if using a hostname versus the static IP? The hostname simply
>>>>>> resolves to the IP anyway. Is there anything we can do now?
>>>>>> On 07/30/2014 10:18 AM, Ryan Ashley wrote:
>>>>>>> Sorry for the delay. I am in eastern time and have been busy with
>>>>>>> another project. I cannot convert that ID to SID. In Windows however,
>>>>>>> this shows as "SYSTEM". How do I know? Simple, there are only three
>>>>>>> things listed. Those are "Domain Admins", "Administration", and
>>>>>>> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have
>>>>>>> added no groups to the Linux systems, so if you're asking if it is a
>>>>>>> local group on the Linux box, no it is not. I can remove the SYSTEM
>>>>>>> account from the share if needed, but it is on all Windows shares as
>>>>>>> well and causes no issues.
>>>>>>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>>> Could not convert uid 70028 to sid
>>>>>>> On 7/30/2014 6:01 AM, steve wrote:
>>>>>>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>>>>>>> On 29/07/14 18:42, steve wrote:
>>>>>>>>> Hi Steve, how about bug 10508 ??
>>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>>>>>> Rowland
>>>>>>>> Hi Rowland,
>>>>>>>> Yes, it looks possible.
>>>>>>>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>>>>>>>> does:
>>>>>>>>    wbinfo --uid-to-sid=70028
>>>>>>>> give us?
>>>>>>>> Steve
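As an added illustration (not part of the thread), here is a small script that does the triage Rowland describes: it reads the 'idmap config ... : range' lines from smb.conf, and flags every domain account whose uid sits in the '*' catch-all tdb range (the 'builtin' 70001-80000 range from the thread) instead of the domain's ad range, which is the signature of ids being allocated locally rather than read from uidNumber in AD. The smb.conf fragment and the getent lines are constructed sample data, and the domain name TRUEVINE is assumed from the DN quoted above.

```python
import re

# Constructed smb.conf fragment: '*' is the catch-all tdb range the thread calls
# the 'builtin' range; TRUEVINE is the domain's rfc2307 (uidNumber/gidNumber) range.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config TRUEVINE : backend = ad
   idmap config TRUEVINE : schema_mode = rfc2307
   idmap config TRUEVINE : range = 10000-19999
"""

# Constructed 'getent passwd' output for three domain accounts (names and ids made up,
# except 70028 which is the uid from the thread's wbcUidToSid error).
GETENT = """\
TRUEVINE\\administrator:*:10000:10000:Administrator:/home/TRUEVINE/administrator:/bin/bash
TRUEVINE\\reach_support:*:70028:70001:Reach Support:/home/TRUEVINE/reach_support:/bin/bash
TRUEVINE\\ute:*:70031:70001:Ute:/home/TRUEVINE/ute:/bin/bash
"""

RANGE_RE = re.compile(r"idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range = A-B' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def classify(uid, ranges):
    """Name the idmap domain whose range contains uid ('*' = catch-all), or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            return dom
    return None

def find_unmapped(getent_text, conf, domain):
    """Accounts of `domain` whose uid came from the '*' range: they were not mapped
    through the domain's ad backend, so no uidNumber was used for them."""
    ranges = parse_idmap_ranges(conf)
    bad = []
    for line in getent_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, *_ = line.split(":")
        if not name.upper().startswith(domain.upper() + "\\"):
            continue
        if classify(int(uid), ranges) == "*":
            bad.append((name, int(uid)))
    return bad

if __name__ == "__main__":
    for name, uid in find_unmapped(GETENT, SMB_CONF, "TRUEVINE"):
        print(f"{name}: uid {uid} is in the catch-all range, needs a uidNumber in AD")
```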
